[00:01.620 --> 00:05.840]  Hello, DEF CON Lockpick Village. Super excited to be here.
[00:05.900 --> 00:09.740]  This is my talk, Doors, Cameras, and Mantraps. Oh my!
[00:09.840 --> 00:13.740]  An overview about the ins and outs of physical security risk assessment.
[00:13.960 --> 00:19.040]  If you are curious about pursuing this as a career option, you are in the right place.
[00:19.040 --> 00:21.160]  If you want to learn about lockpicking,
[00:21.160 --> 00:24.760]  I'll mention some sources that can help with that later on in the talk.
[00:28.760 --> 00:30.700]  Here is a quick intro.
[00:30.700 --> 00:34.180]  I am The Magician, or Dylan, whichever you prefer.
[00:34.360 --> 00:38.740]  I am a member of the Open Organization of Lockpickers in Orlando.
[00:38.740 --> 00:41.840]  I am a security consultant with GoldSky Security.
[00:42.120 --> 00:45.540]  I teach cybersecurity at the University of Central Florida.
[00:45.540 --> 00:46.560]  Go Knights!
[00:46.640 --> 00:49.700]  And I am an overall security enthusiast.
[00:49.700 --> 00:52.640]  This is really a hobby for me, as much as a career.
[00:54.800 --> 01:00.380]  What I do is straightforward. I explore client sites with the defenders in tow,
[01:00.380 --> 01:04.720]  so I can demonstrate for them any physical security vulnerabilities I spot.
[01:05.400 --> 01:10.540]  Bringing the client defenders with me allows for a teach-back while on-site,
[01:10.540 --> 01:14.460]  instead of solely in our report. It is an absolute blast.
[01:15.340 --> 01:18.040]  This mostly summarizes the process.
[01:18.120 --> 01:21.700]  I show them the vulnerability, and I tell them the mitigation.
[01:24.470 --> 01:27.190]  So, what are we going to discuss in this talk?
[01:27.190 --> 01:30.510]  This is not a lockpicking or how-to talk.
[01:30.510 --> 01:33.550]  This is more a talk about the processes and procedures,
[01:34.170 --> 01:40.230]  mostly about what we look for and how we relay the information to the clients.
[01:40.810 --> 01:46.530]  I will cover physical security controls, key questions I ask my clients,
[01:46.530 --> 01:50.270]  and how I go about educating the clients about risk mitigation.
[01:50.550 --> 01:54.270]  At the end, I'll talk about how to approach this field.
[01:56.450 --> 01:59.870]  Physical security controls start with the front door, I think.
[01:59.870 --> 02:02.950]  So, I want to start with doors and windows.
[02:05.160 --> 02:11.500]  There are a lot of mechanical components to doors, but here's a short list I tackle.
[02:11.500 --> 02:17.460]  Do perimeter doors have the hinges exposed to the outside? Those hinges can be exploited.
[02:18.160 --> 02:21.420]  Can I slide something between the latch and the strike plate
[02:21.420 --> 02:24.800]  to pull the door open without a key or combination?
[02:25.220 --> 02:30.700]  Can I get tools over or under the doors to manipulate the door handles?
[02:31.340 --> 02:35.000]  If I run across double doors, can I manipulate crash bars,
[02:35.000 --> 02:39.500]  those bars that go across the middle of doors that you can kind of push open with your hip
[02:39.500 --> 02:45.980]  so you don't need to use a knob or a handle? These are all resolvable exploits.
[02:48.550 --> 02:52.830]  While some windows can be opened or manipulated in similar ways,
[02:52.830 --> 02:57.390]  they offer different challenges. In a lot of office spaces,
[02:57.390 --> 03:00.290]  some clients don't have policies about shoulder surfing
[03:00.290 --> 03:04.270]  or looking over the shoulder of a user to obtain information.
[03:04.710 --> 03:09.750]  This is a physical security risk. If someone is trying to establish
[03:10.310 --> 03:15.810]  a good time for physical entry, maybe just what PC operating systems are being used,
[03:15.810 --> 03:21.370]  or even information as simple as what browser type a particular company is using,
[03:21.370 --> 03:24.670]  looking through a window is really low effort.
[03:24.730 --> 03:30.270]  This clip, by the way, is very much not a risk model my clients have ever asked me to test.
[03:33.660 --> 03:39.920]  The next physical controls are fencing and bollards. Both are passive and require little
[03:39.920 --> 03:44.560]  maintenance in most cases. Even though some folks are scratching their heads about what
[03:44.560 --> 03:52.980]  bollards are, don't worry, you've seen them before. Fencing is obvious, maybe folks have
[03:52.980 --> 03:59.740]  them in their homes or at work maybe. Fencing establishes a clear perimeter,
[03:59.740 --> 04:06.000]  and, if locked, clearly sets an expectation of limited access. It would take a heck of an improviser
[04:06.000 --> 04:12.020]  to explain to a guard why you are walking around a parking lot or building at a locked and closed
[04:12.020 --> 04:18.760]  facility. It's also near impossible to scale a fence in most environments without attracting
[04:18.760 --> 04:27.760]  attention, unless in a very rural location. You have all seen bollards before, they are
[04:27.760 --> 04:33.240]  the reinforced obstacles that prevent the use of a vehicle as a battering ram to create a point
[04:33.240 --> 04:39.240]  of entry in an otherwise defended structure. This is a very fancy hydraulically assisted version, but
[04:41.360 --> 04:47.420]  here we are at a Target. Remember when we used to go to Target in 2019 for groceries?
[04:47.420 --> 04:54.620]  Those were the days. In front of the store, these steel reinforced concrete spheres are not just to
[04:54.620 --> 04:59.520]  look cool, they actually prevent people from running their cars into the glass doors to gain
[04:59.520 --> 05:08.800]  access in off hours to steal random stuff. It's a pretty simple passive risk mitigation, I think.
[05:08.800 --> 05:19.060]  Full bonus, I just find it fun to say bollards. Next up are Mantraps. This is a super cool concept.
[05:22.520 --> 05:28.940]  Mantraps are completely underutilized. Sure, it's a challenge to get people through them, you'll
[05:28.940 --> 05:34.900]  understand why a flow of people can be interrupted in a moment, but I think they are really awesome.
[05:35.000 --> 05:39.420]  Many banks have them, and after seeing the next slide, I'm willing to bet a few of you are going
[05:39.420 --> 05:47.040]  to be sitting at home saying, holy cow, I've totally seen those. This is a great scene from
[05:47.040 --> 05:51.720]  the movie Sneakers, my personal favorite hacker movie. The lead character, Bishop,
[05:51.720 --> 05:57.800]  walks through a glass sliding door after using a magnetic stripe reader. The door closes behind him,
[05:57.800 --> 06:04.120]  and another door is in his way that uses a biometric reader. Now he has to get past that.
[06:04.580 --> 06:08.160]  Super neat control that I would love to see in more places.
[06:11.070 --> 06:15.870]  Cameras are a great security control for several reasons. If you have the means,
[06:15.870 --> 06:22.070]  I encourage you all to grab some power over ethernet or wi-fi cameras and try hacking them.
[06:24.600 --> 06:30.180]  Cameras are in most businesses and some homes now. If you have the funding at a job site,
[06:30.180 --> 06:37.600]  you can even have your cameras actively monitored in a SOC or security operations center. Lots of
[06:37.600 --> 06:43.900]  small to mid-sized businesses just record video and reference it in incident response if something
[06:43.900 --> 06:50.980]  goes wrong for forensic purposes. Video is easy to store and you could find out who took company
[06:50.980 --> 06:57.060]  property maybe after they got terminated or who was negligent in some security policy. There are
[06:57.060 --> 07:02.140]  many technologies in the world of cameras, but I firmly believe that wi-fi cameras specifically
[07:02.140 --> 07:09.800]  are a poor choice. Please reach out for that soapbox rant if you like. A fun fact about a lot
[07:09.800 --> 07:19.020]  of security cameras is that often they aren't even powered on at job sites. Because I love
[07:19.020 --> 07:25.160]  surveillance cameras and have several to tinker with at home, my oldest son has developed a
[07:25.160 --> 07:30.440]  curiosity around them and likes to point them out when we are at theme parks here in Orlando.
[07:30.440 --> 07:35.760]  He can quite accurately count the number of cameras on the walk up to a structure.
[07:35.760 --> 07:40.400]  Would you have seen the two massive dome cameras on top of this archway at Universal Studios
[07:40.400 --> 07:47.240]  Florida if I had not put boxes in this photo? Heck, I can't even see them hardly with the boxes,
[07:47.240 --> 07:51.360]  but I assure you if you go to Google Maps, they are there. Go check it out.
[07:54.080 --> 07:59.940]  For electronic access, I am going to do a very light touch because it is quite a dense topic.
[08:02.720 --> 08:08.460]  Most of you are in an office environment and have some token that grants you access.
[08:09.040 --> 08:14.460]  A radio frequency ID badge that you wave in front of a reader that opens a magnetically
[08:14.460 --> 08:20.000]  sealed door might be your front door. A pin code that is shared among employees
[08:20.000 --> 08:25.420]  and janitorial staff might get you into privileged rooms. Maybe a fingerprint even
[08:25.420 --> 08:31.720]  unlocks the laptop at your desk. Grocery stores even have electronic sensors that
[08:31.720 --> 08:35.820]  know when someone is there and detect motion and open for you.
[08:38.200 --> 08:45.040]  All of these things can be exploited or copied in some way. I personally am one of the many
[08:45.040 --> 08:50.620]  cyborgs in the hacker community. I got an implant from Dangerous Things last year and can clone
[08:50.620 --> 08:56.160]  radio frequency ID badges to my hand and I use that to educate clients about the importance
[08:56.160 --> 09:05.160]  of cycling the guest badge so that way someone can't take that badge number and then come back
[09:05.160 --> 09:15.090]  with it and let themselves in. Next I want to talk about how to speak to clients in a productive way.
[09:17.240 --> 09:23.900]  What is your personal area of concern? In other words, ask a client what on earth
[09:23.900 --> 09:29.600]  they care about. I've demoed a parking lot to server room break-in in four minutes
[09:29.600 --> 09:35.160]  and had a client shrug their shoulders. Their dollars were in a manufacturing area
[09:35.160 --> 09:42.880]  in another more secure location. Ask your client what they want you to put time into.
[09:42.880 --> 09:49.900]  Being efficient is a good way to get repeat clients in a role where often you're billing hourly.
[09:52.620 --> 09:57.120]  Don't miss any doors. There is no shame in verifying with a client
[09:57.120 --> 09:59.740]  that you have tested the entire perimeter.
[10:02.020 --> 10:08.880]  Ask which doors get the most traffic and which get the least. Some doors may have super beefy
[10:08.880 --> 10:14.660]  security while another may be a smoking area door that has people flowing in and out of it throughout
[10:14.660 --> 10:20.480]  the day, and has less security favoring convenience. Those are good doors to test
[10:20.740 --> 10:24.740]  a tailgating attack where you try and walk in behind an employee.
[10:27.450 --> 10:33.770]  Because you truly are a guest in the scenario of being a security risk assessor, you can test
[10:33.770 --> 10:42.090]  guest access policies firsthand. In some cases, if it is in scope, meaning if the client has agreed
[10:42.090 --> 10:47.930]  to it ahead of time, try entering the client premises and asking to use the restroom. Then
[10:47.930 --> 10:55.250]  see how far you can get into the building unattended. If you show up and notice a robust
[10:55.250 --> 11:02.270]  check-in policy, maybe with a photo and temp badge, great. That is often not the case.
[11:02.490 --> 11:10.090]  Do you get an escort? Also a bonus. Can I keep an RFID badge and replay it when I come back
[11:10.090 --> 11:16.490]  next year for an assignment? Not ideal, but I've seen that before. Do you get watched like you're
[11:16.630 --> 11:20.810]  a suspicious hacker in a hoodie, or is there instant trust once you've made it past the
[11:20.810 --> 11:27.890]  perimeter? Final fun thing to look for if you get a guest badge. Where can you get in the
[11:27.890 --> 11:33.730]  building? You might be surprised to find yourself in a CEO or CFO office if you're lucky.
[11:36.070 --> 11:43.410]  Here we see some extremely robust guest security policies in action. Armed guards are monitoring a
[11:43.410 --> 11:49.910]  guest who is also restrained and has their tools confiscated temporarily. Someone in
[11:49.910 --> 11:56.310]  security operations hands the guest off to a person of authority who is also armed
[11:56.310 --> 12:02.090]  for the purposes of communication. This is a bit much, but similar procedures are not unheard of
[12:02.090 --> 12:11.260]  in a military or DoD establishment. As a social engineering enthusiast myself, this is a huge
[12:11.260 --> 12:17.360]  topic. Entire companies are dedicated to just educating and empowering employees to act as
[12:17.360 --> 12:25.860]  part of the security team for a company. Here are quick points on the matter. Gamify your security
[12:25.860 --> 12:31.680]  training. A traveling trophy can go on the desk of the person with the least clicks on email
[12:31.680 --> 12:38.180]  phishing one month. Or maybe someone else who always locks their computer when they head to
[12:38.180 --> 12:44.380]  the break room. Be creative. Let employees know that they are an integral part in the security
[12:44.380 --> 12:51.040]  of their company and that they can be the first line of defense. Every employee is part of the
[12:51.040 --> 13:01.330]  security team. As a social engineering enthusiast, this is equally important. You want to make sure
[13:01.330 --> 13:08.190]  you're establishing rapport with your clients. You want them to want you to come back. Constructive
[13:08.190 --> 13:17.890]  criticism can be done in a very positive way. While there have been tons of talks about how to
[13:17.890 --> 13:24.290]  exploit mechanical components of physical security, there have been just a few that cover
[13:24.290 --> 13:29.670]  the specifics of educating the clients on how to go about resolving the exploits that you've
[13:29.670 --> 13:36.670]  demonstrated on the job. Constructive criticisms are the way to go. A positive focus is absolutely
[13:36.670 --> 13:42.190]  critical. Directed or accusatory verbiage is never productive. Saying things like,
[13:42.190 --> 13:45.970]  this is so bad, or I can't believe you set it up this way,
[13:45.970 --> 13:51.210]  need to be replaced with, we have some good opportunities here for improvement.
[13:51.650 --> 13:57.910]  Simple phrasing can mean a huge world of difference. Also, leading a client to come
[13:57.910 --> 14:03.690]  to their own conclusions through education and demonstration will work wonders for client morale.
[14:06.030 --> 14:10.530]  Here is the show and tell part. This really is my favorite part of the job.
[14:12.880 --> 14:17.500]  Showing the defender's vulnerabilities on-site is immensely fun and can have an
[14:17.500 --> 14:23.400]  extremely positive impact. Telling someone you can bypass a door versus showing them how
[14:23.400 --> 14:27.920]  has a huge difference in the likelihood that a mitigation will be implemented.
[14:28.340 --> 14:33.020]  This step in the process also gets the most heads popping into the room.
[14:33.220 --> 14:38.740]  It gets people excited about the security of their company. I have yet to run across a group
[14:38.740 --> 14:43.340]  of employees that doesn't show interest in an under-door tool or a latch slip.
[14:46.270 --> 14:52.210]  This is pretty big. This is all about soft skills and keeping people calm in an otherwise
[14:52.210 --> 14:58.330]  stressful environment. Fear, uncertainty, and doubt have no place when you're trying to be productive.
[15:01.180 --> 15:08.920]  You want to avoid saying things like, oh, this is bad, or you've done this incorrectly. Instead,
[15:08.920 --> 15:16.140]  be inclusive and positive. We can fix this. No big deal. Make sure that you're explaining things.
[15:16.140 --> 15:22.180]  You're not telling them. You don't want to just send an email with resolutions. You want to
[15:22.180 --> 15:29.780]  actually have a human conversation. This is pretty much the best explainer of fear, uncertainty,
[15:29.780 --> 15:35.040]  and doubt and why it can damage a client relationship. Fear is not a good motivator
[15:35.040 --> 15:39.860]  to get risks mitigated. Educate and empower. Never belittle or disrespect.
[15:43.720 --> 15:48.800]  Provide some means for clients to reach out to you. Don't be out of touch.
[15:50.240 --> 15:56.140]  A reputable company should provide you with a company email, and if you're lucky, a company
[15:56.140 --> 16:02.660]  phone number. This can separate work and home, and keeping a work-life balance in this particular
[16:02.660 --> 16:07.800]  career field can be challenging at times. Make sure to also set expectations about when you
[16:07.800 --> 16:16.960]  can be reached and how long it may take for you to respond. I feel education is the most
[16:16.960 --> 16:21.640]  important aspect of hacking and security. That's not to say that a four-year degree or anything
[16:21.640 --> 16:28.800]  like that is needed. Kudos if you're going that route. The different approaches to learning
[16:28.800 --> 16:36.360]  are varied, but here are a few. Podcasts, YouTube, and Udemy were big wins for me personally.
[16:38.120 --> 16:44.040]  If you want to get into lockpicking or just see some jaw-dropping feats of lock exploits,
[16:44.040 --> 16:49.260]  then look no further than Lockpicking Lawyer. The content on his channel is consistently enjoyable
[16:49.260 --> 16:56.700]  and never stale or boring. If you are an auditory learner, then podcasts are fantastic. Darknet
[16:56.700 --> 17:02.120]  Diaries is amazing, with great storytelling and incredible guests. The lessons learned are
[17:02.120 --> 17:06.340]  valuable and always come in an entertaining package. If you want to develop your own podcast,
[17:06.340 --> 17:10.260]  or if you want to direct your attention at certification to prove you know a specific
[17:10.260 --> 17:16.060]  skillset, then Mike Myers on Udemy has, I personally think, the best online content
[17:16.060 --> 17:22.180]  for CompTIA Security Plus and Network Plus. He does cover some physical security content
[17:22.180 --> 17:28.200]  in the Security Plus lecture, and he does it in a very fun way. These three are Bill Nye-level
[17:28.200 --> 17:32.420]  explainers, for those of you who are old enough to remember Bill Nye from the 90s.
[17:34.460 --> 17:40.540]  Well, not everyone learns from books. I know I certainly can, specifically if the content is
[17:40.540 --> 17:48.140]  fascinating to me. I tried to trim this down to a short list that I can recommend for everybody.
[17:49.400 --> 17:55.000]  Social Engineering: The Science of Human Hacking by Chris Hadnagy is a very professional
[17:55.000 --> 18:00.340]  and comprehensive guide to social engineering. If you want to learn more about that kind of
[18:00.340 --> 18:06.600]  engagement, Practical Lock Picking by Deviant gives you a more complete understanding of locks,
[18:06.600 --> 18:12.580]  not just how to pick them. The Art of Deception by Kevin Mitnick is super famous, and if you
[18:12.580 --> 18:18.420]  haven't read it, you really should. Although, I will mention that Chris Hadnagy's book is more
[18:18.420 --> 18:23.800]  of a scientific and professional approach to learning about social engineering. What Every
[18:23.800 --> 18:29.620]  BODY Is Saying is very useful for reading people. This is helpful in everyday life as well as on
[18:29.620 --> 18:35.480]  the job. Just like previously, I wanted to throw in something strictly for those aiming at
[18:35.480 --> 18:41.880]  certifications. I really am a huge fan of anything and everything under the ExamCram
[18:41.880 --> 18:47.560]  brand. I really think they portray the information in a way that's very easy to absorb.
[18:49.740 --> 18:55.460]  This was a big topic for me, and I hope to emulate those who helped me and pay it forward,
[18:55.460 --> 19:00.920]  so to speak. Approach professionals and listen to talks.
[19:02.180 --> 19:08.940]  Be courteous. These people are busy and have their own lives. That consideration aside,
[19:08.940 --> 19:13.660]  security professionals are people and like to share their experiences. I have received an
[19:13.660 --> 19:18.320]  amazing amount of support from the security community and wanted to list folks who were
[19:18.320 --> 19:24.820]  large influences for me. I encourage you to pore over previous DEF CON talks and find individuals
[19:24.820 --> 19:31.080]  who share your personal mindset and speak to you specifically. Use the knowledge shared in
[19:31.080 --> 19:39.300]  venues like this to build an even stronger community of sharing. While I know I am
[19:39.300 --> 19:44.540]  biased as an instructor, I recommend taking guided courses if you are able.
[19:47.040 --> 19:54.320]  Here are some I personally plan to attend as soon as we are able. You can learn physical security,
[19:54.320 --> 19:59.460]  social engineering, or really anything you like in a course guided by a professional
[19:59.460 --> 20:06.520]  in the field. A textbook will never have all the answers. Being able to raise your hand and ask the
[20:06.520 --> 20:12.600]  what ifs and what about this type questions is hugely valuable.
[20:16.760 --> 20:22.340]  Since we are all at DEF CON, you all have already nailed this, so well played.
[20:22.340 --> 20:27.780]  Attending events and local meetups is a great way to meet new people and network.
[20:30.440 --> 20:36.200]  The people I have met in Orlando through meetups and events have truly driven my career. I was able
[20:36.200 --> 20:41.240]  to learn all the skills I couldn't practice because either I personally did not have the tools
[20:41.240 --> 20:46.800]  or the content online didn't quite break things down well enough for me. Just getting introduced
[20:46.800 --> 20:52.260]  to people that could help me understand things between the lines of textbooks was awesome.
[20:52.260 --> 20:58.180]  Huge shout out to the folks at CitrusSec in Orlando and DC407.
[21:01.160 --> 21:06.440]  If you see your city on the list, then that means there is a chapter of the Open Organization
[21:06.440 --> 21:11.020]  of Lockpickers in your town. I encourage you to reach out to your local TOOL group
[21:11.020 --> 21:17.080]  and meet some cool people. If you don't see your city, good news! You can now start a chapter
[21:17.080 --> 21:22.240]  in your town and find people that are into physical security. The Open Organization of
[21:22.240 --> 21:28.320]  Lockpickers, or TOOL, has been amazing to me and I love being a member.
[21:31.160 --> 21:37.240]  Second to last slide, I promise, but I want to say thanks to my family and friends. Mostly my
[21:37.240 --> 21:43.040]  wife and kids. Thank you for understanding when I disappear into my lab for hours at a time for
[21:43.040 --> 21:49.920]  random projects. Thanks Orlando hackers for just being total class acts. I want to thank TOOL for
[21:49.920 --> 21:54.240]  providing me an unbelievable networking opportunity and the ability to practice
[21:54.240 --> 21:59.960]  hands-on with locks and tools I would never have seen otherwise. Thanks GoldSky Security
[21:59.960 --> 22:06.120]  for the opportunity to learn and grow in an incredible supportive environment. DEF CON,
[22:06.120 --> 22:11.700]  thank you for having me. This event is so special. And to the hacker community at large,
[22:11.700 --> 22:15.000]  keep being curious and keep pushing boundaries.
[22:17.420 --> 22:23.500]  I love helping people who are getting started or maybe who are stuck on something. Feel free
[22:23.500 --> 22:29.960]  to reach out. I might take a bit to respond, but I will do my level best to help. This was a lot
[22:29.960 --> 22:35.040]  of information in a short amount of time. So if you want clarification on something,
[22:35.040 --> 22:40.920]  I am at 31337Magician on Twitter, and here is my LinkedIn if you prefer that channel.
[22:41.020 --> 22:44.820]  Thanks for listening to my talk. That's all I have on this topic,
[22:44.820 --> 22:47.820]  but feel free to reach out if you want to have anything answered
[22:47.820 --> 22:52.460]  that you are still curious about. Have an excellent day and enjoy DEF CON.
